← back
CVE-2020-37192

MSN Password Recovery 1.30 - XML External Entity Injection

CVSS 6.7 MEDIUMEPSS 0.2%CWE-611
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.7EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
11 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
MSN Password Recovery 1.30 contains an XML external entity injection vulnerability that allows attackers to read local system files through crafted XML input. Attackers can exploit the 'Favorites' tab by injecting a malicious XML file that references external entities to retrieve sensitive system configuration information.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
Top Password Software · MSN Password Recovery

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.exploit-db.com/exploits/47896https://www.top-password.com/https://www.vulncheck.com/advisories/msn-password-recovery-xml-external-entity-injection